Data breach fines to jump following EU GDPR adoption

The UK is set to adopt the European Union's General Data Protection Regulation (GDPR), which will increase the maximum fine the Information Commissioner's Office can impose upon companies who have not adequately protected themselves against data theft from £500,000 to £17 million or four percent of turnover.

Responsible for enforcing data protection legislation in the UK, the Information Commissioner's Office (ICO) investigates reports of data leaks, thefts, and breaches by companies. Should it find that a company has not been taking adequate care to protect customers' personal data, it can levy fines - technically 'monetary penalty notices' - of up to £500,000, which is then paid back into the government's general taxation pot.

Under the General Data Protection Regulation of the European Union, though, this limit is set to be increased to a whopping £17 million or four percent of the company's turnover, whichever is greater. Due to come into force in 2018, the UK has confirmed that it will adopt the GDPR regardless of where in the process of rescinding its membership of the European Union it may be at the time. In short: The ICO is about to get a significantly bigger set of fangs.

Sadly, it's entirely possible that it may never use its newly enlarged bite: Although it is able to enforce penalties of up to £500,000 at present, the closest it has ever come was a record £400,000 penalty levied against TalkTalk for its part in failing to safeguard customer data prior to a major breach discovered earlier this year. Previous fines have been even further below the upper limit, with Sony penalised just £250,000 for a breach which saw 2.2 million users' credit card details leaked as a result of significant failures in the company's security procedures.

ICO's last penalty limit increase came in 2009, when the previous maximum of £250,000 was doubled.